Is PaaS the optimal cloud service model option for security? (Part 1 of 2)

Cloud security is an interesting thing. The three service delivery models (IaaS, PaaS, and SaaS) each split security responsibility between consumer and provider differently, and each split has positives and negatives depending on your organization's security maturity as the consumer.

Is it possible, then, that platform-as-a-service (PaaS) offers the best balance of consumer and provider security responsibility, and therefore the best overall security posture from their combined efforts? Let's look at how PaaS can be not only a good balance between provider and consumer responsibility for security, but perhaps the service delivery model that reduces the most risk of the three.

"PaaS is intended to enable developers to build their own applications on top of the platform. As a result, it tends to be more extensible than SaaS, at the expense of customer-ready features. This trade-off extends to security features and capabilities, where the built-in capabilities are less complete, but there is more flexibility to layer on additional security."

In order to understand why security may be best served through a PaaS-delivered cloud service, we first need to understand the subtleties of the paragraph quoted above. To see why PaaS is such an inviting option, let's start with the other two service models. SaaS (Software-as-a-Service) gives the consumer virtually zero control over security, with the notable exception of role-based access definitions, which must fit into the provider's model.

The only chance you have to affect the security of a SaaS service is through the way you define your users, their access, and how their accounts are managed and expired, assuming you can make your approach fit the service provider's model. In the SaaS model you don't get to tell the provider anything except who your users are, perhaps where they may legitimately come from, and what they're allowed to do. The provider does everything else.
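To make the consumer's side of the SaaS line concrete, here is an added illustration (not code from the original post, and not any provider's API) of the only levers the consumer holds: a user directory with roles, the source networks users may legitimately come from, account expiry, and an authorization check that applies them in order. The directory entries, network ranges, dates and role names are constructed for the example; that the provider's model accepts roles this coarse is an assumption.

```python
# Added illustration, not from the original post: the consumer-side levers in
# SaaS, i.e. who the users are, where they may legitimately come from, what they
# may do, and when their accounts expire. Everything else (the application, its
# data stores, the platform) is on the provider's side of the line.
# All directory entries, networks and dates below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Consumer-defined role model. Assumption: the provider exposes roles this
# coarse; in practice you map onto whatever roles the provider offers.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "manage_users"},
}

# Where users may legitimately come from (constructed corporate egress ranges).
ALLOWED_SOURCES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Fixed "today" so the example is reproducible (constructed).
REVIEW_DATE = date(2024, 6, 1)


@dataclass
class Account:
    user: str
    role: str
    expires: Optional[date] = None  # None means no expiry was ever set
    disabled: bool = False


# Constructed directory: one admin, one contractor whose end date has passed
# but who was never disabled, and one account with no expiry at all.
DIRECTORY: Dict[str, Account] = {
    "alice": Account("alice", "admin", expires=date(2099, 12, 31)),
    "bob": Account("bob", "editor", expires=date(2024, 1, 31)),
    "carol": Account("carol", "viewer"),
}


def is_active(acct: Account, today: date) -> bool:
    """An account is usable only if it is not disabled and not past its expiry."""
    if acct.disabled:
        return False
    if acct.expires is not None and today > acct.expires:
        return False
    return True


def authorize(directory, user, action, source_ip, today=REVIEW_DATE) -> Tuple[bool, str]:
    """Apply the consumer's levers in order: identity, lifecycle, source, role.

    Returns (allowed, reason) so the reason can be logged on denial."""
    acct = directory.get(user)
    if acct is None:
        return False, "unknown user"
    if not is_active(acct, today):
        return False, "account disabled or expired"
    if not any(ip_address(source_ip) in net for net in ALLOWED_SOURCES):
        return False, "source not in allowed networks"
    if action not in ROLE_PERMISSIONS.get(acct.role, set()):
        return False, f"role {acct.role!r} lacks {action!r}"
    return True, "ok"


def accounts_needing_review(directory, today=REVIEW_DATE) -> Dict[str, str]:
    """Lifecycle hygiene: expired-but-enabled accounts and accounts with no
    expiry at all are the two gaps the consumer can and should close."""
    findings = {}
    for name, acct in directory.items():
        if acct.expires is None:
            findings[name] = "no expiry set"
        elif today > acct.expires and not acct.disabled:
            findings[name] = "expired but not disabled"
    return findings


if __name__ == "__main__":
    print(authorize(DIRECTORY, "alice", "manage_users", "203.0.113.10"))
    print(authorize(DIRECTORY, "bob", "read", "203.0.113.10"))
    print(accounts_needing_review(DIRECTORY))
```

Every denial reason above maps to something the consumer defines. A weakness in the provider's session handling, tenant isolation or storage encryption produces no finding here, which is the point: in SaaS the consumer has no lever on those layers at all.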

The provider determines what measures will be used to defend your data in a shared environment, including both the policy and the implementation details of that policy. From concept to implementation, the vendor determines what works for them and then extends the same measures to all customers. You may or may not be OK with this as a customer.

So where in SaaS you have virtually no say on security matters, the exact opposite is true in the IaaS service delivery model. The vendor provides API-based access to your shared, on-demand, metered resources. The vendor is typically responsible for providing vetted administrative engineers and support analysts, and for base-level security at the physical and network access level.

The provider is also responsible for the security of the cloud environment on which you host your applications and services, up to and including the hypervisor. Everything above the hypervisor in the cloud stack, starting at the operating system, is your responsibility.

In the IaaS cloud service delivery model the security of your operating system, middleware, and application or service is entirely your responsibility: applying OS patches, hardening application server configurations, and the software security of your own code are all your problem.

It would seem that in the IaaS cloud service delivery model, unless you know what you're getting into, it may be quite tough to deploy a solid, low-risk cloud-based application. PaaS is different from the other two in that it is a compromise between extensibility and built-in security features. Where does the balance lie, and why is it the optimal one? You'll have to check out part two of this post...

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.